
Wednesday, January 27, 2016

SOA Web service security

A simple way of protecting web services from unauthorized access is to use standard WS-Security. Web Services Security (WS-Security, WSS) is an extension to SOAP that applies security to web services.

Oracle SOA Suite 11g/12c provides out-of-the-box WS-Policies to protect web services and to securely call a protected web service. In this article I'll show you how to do this.

How to protect a web service with username and password

  • Open the composite.xml
  • Right-click on the exposed service and click Configure SOA WS policies..

  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_service_policy and then OK

  • Now deploy and test. Very simple, isn't it?
  • For OSB, the same option is available on the proxy services.
  • To test this web service, a WSSE header has to be passed with the username and password.
    • Please note that the username/password must be defined in the WebLogic server. Refer to the section below to learn how to create a WebLogic user.

Example web service call:

<soapenv:Envelope xmlns:soapenv="" xmlns:bpel="">
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="">
            <wsse:Password Type="">welcome1</wsse:Password>
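A test client has to send the whole header, including the wsse:Username element and the standard OASIS namespace URIs. The following is an added example, not code from the original article: a Python sketch that builds such an envelope and reads the token back, assuming the PasswordText password type (which carries the password in cleartext, so it also rejects non-HTTPS endpoints). The function names are hypothetical, and the user name, body element and endpoint used with it are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SOAP 1.1 and OASIS WS-Security 1.0 namespace URIs.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = OASIS + "username-token-profile-1.0#PasswordText"  # assumed type

for _prefix, _uri in (("soapenv", SOAPENV), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def check_endpoint(url):
    """PasswordText carries the password in cleartext: require TLS."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to send a UsernameToken over " + url)
    return url


def build_envelope(username, password, body_xml, token_id="UsernameToken-1"):
    """Build the envelope with ElementTree so credentials are XML-escaped."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAPENV}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken",
                          {f"{{{WSU}}}Id": token_id})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password",
                  {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAPENV}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def read_username_token(envelope_xml):
    """Return (username, password) from the header, or raise ValueError."""
    root = ET.fromstring(envelope_xml)
    token = root.find(
        f"{{{SOAPENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    user = token.findtext(f"{{{WSSE}}}Username")
    pwd = token.find(f"{{{WSSE}}}Password")
    if not user or pwd is None or pwd.get("Type") != PASSWORD_TEXT:
        raise ValueError("UsernameToken is incomplete or not PasswordText")
    return user, pwd.text or ""
```

Building the header with an XML library rather than string concatenation keeps a password containing `<` or `&` from breaking or altering the envelope.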

How to call a protected web service

Now that we have protected the service from unauthorized access, how do we call it from another web service?

  • Open the composite.xml
  • Right-click on the external reference and click Configure SOA WS policies..
  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_client_policy and then OK
  • For OSB, the same option is available on the business services.
  • The username and password to be passed to the service should be configured as keys in the EM console > security credentials section. Refer to the next section to learn how to do that.
  • The configured key has to be entered in the csf-key property in the reference tag in the composite.xml, as shown below.

<reference name="asyncProc"
    <interface.wsdl interface=""/>
    < port=""
      <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property>
      <property name="csf-key" type="xs:string" many="false">TestKey</property>

How to configure keys in WebLogic server

  • Log on to the WebLogic EM console
  • Right-click on WebLogic Domain > Default Domain
  • Click on Security > Credentials
  • Create a new map ( create a key under
    • I think the map name has to

How to create a user in WebLogic server

This is a very simple configuration in which no external identity stores (like OID or MS Active Directory) are configured with the WebLogic server.

  • Go to WebLogic Console home > Security Realms > myrealm
  • Click on the Users and Groups tab
  • Click on the New button and enter the username/password details.
